December 04, 2007

Test Market for Identity Services and Policy

Yesterday I went to the Internet Identity Workshop at the Computer History Museum to explore one question -- if you had a test market where identity standards, infrastructure, user preferences and adoption were in place, what kinds of policies and identity services would emerge?

I hinted at this question in a recent blog post, something I'm attuned to because of two facets of my identity: my work in the technology industry and some connection to Estonia (aside, my blog post was linked to by Estonia's largest weekly). But the question is interesting for two reasons:

it leaps past the current concerns of the identity community of competing standards and adoption

it is a very real short term future in Estonia

With 1M Estonian eID smart cards, GSM SIM cards and open.id.ee in beta -- 80% of the population has adopted identity infrastructure from the top down. With OpenID enabling internet identity, support from Microsoft, Google and many Web 2.0 startups, and spawning further collaboration such as OAuth, the potential for innovative identity driven services is significant. The first phase of identity driven innovation in Estonia has yielded 89% of banking transactions online, 80% of tax returns filed electronically, legally binding eVoting, and mobile payments. Identity is the missing layer of the internet and now there is a little country that could help innovators leap ahead.

So if you assume this short term future, you get to imagine new internet identity services for testing in a real market. You also get to think through policy considerations. Government and regulation will inevitably be involved with internet identity, especially where the trust relationship between citizen and state provides the basis for it. Even when the state provides the basis of identity, there will be other means to establish it on the net, a diversity that creates its own check and balance. Some people, particularly in the UK with its recent privacy breach, resist the natural role of government in identity. To do so not only is a barrier to constructive conversation with lawmakers, but it ignores the existing body of law around identity in the real world.

I was chatting about this with Doc Searls and he recounted a breakfast conversation with Iain Henderson, whom I met later that day. From Doc's IM:

Government sees two categories of data, especially identity data -- public and private. As in public sector and private sector. But there is also a third: user-originated. He [Iain] believes the majority of data government care about in ten years will be generated by individuals, as the point of origin, and also as the point of service integration. An analog to the multiple-silo problem is the fact that governments tend to see individuals as a collection of silos as well. There is no integration between health services, civil defense, taxation, social services, education and the rest of it. The individual needs to be equipped to be the point of integration from the data standpoint, and the point of origination for service requirements. That goes for relationships with both government and business. This is the essence of VRM, and where VRM and identity meet.

Later in hallway conversation with Doc and JP Rangaswami, JP described the need to shift the focus from data (can I get my identity data in and out from a service provider?) to relationships. He pointed out that the relationship you have with your lawyer or doctor is privileged by law so you have greater trust in sharing your identity. Identity relationships exist between citizen and state, citizen and firm, firm and state, and firm to firm. The last two hold the greatest concerns.

When you assume identity infrastructure and adoption, you can explore these policy questions. Individuals will originate an increasing amount of identity data. Could letting individuals have control over their identity relationships yield better data? Could it even be a human right in the digital age? What can we adapt from the seven laws of identity into real law? Could mandating personalized disclosure statements provide balance to relationships and begin the conversations that form real relationships between citizen and firm? Would the right forward looking policies in a test market like Estonia yield greater investment, innovation and citizen satisfaction?
